11.8. Real-Time Communication Services

Real-Time Communication (RTC) services include voice, video/webcam, instant messaging (IM) and desktop sharing. This chapter gives a brief introduction to three of the services required to operate RTC, including a TURN server, SIP server and XMPP server. Comprehensive details of how to plan, install and manage these services are available in the Real-Time Communications Quick Start Guide which includes examples specific to Debian.

http://rtcquickstart.org

Both SIP and XMPP can provide the same functionality. SIP is slightly more well known for voice and video while XMPP is traditionally regarded as an IM protocol. In fact, they can both be used for any of these purposes. To maximize connectivity options, it is recommended to run both in parallel.

These services rely on X.509 certificates both for authentication and confidentiality purposes. See 第 10.2.1.1 节 “公钥基础设施:easy-rsa for details on how to create them. Alternatively the Real-Time Communications Quick Start Guide also has some useful explanations:

http://rtcquickstart.org/guide/multi/tls.html

11.8.1. DNS settings for RTC services

RTC services require DNS SRV and NAPTR records. A sample configuration that can be placed in the zone file for falcot.com:

  1. ; the server where everything will run
  2. server1 IN A 198.51.100.19
  3. server1 IN AAAA 2001:DB8:1000:2000::19
  4.  
  5. ; IPv4 only for TURN for now, some clients are buggy with IPv6
  6. turn-server IN A 198.51.100.19
  7.  
  8. ; IPv4 and IPv6 addresses for SIP
  9. sip-proxy IN A 198.51.100.19
  10. sip-proxy IN AAAA 2001:DB8:1000:2000::19
  11.  
  12. ; IPv4 and IPv6 addresses for XMPP
  13. xmpp-gw IN A 198.51.100.19
  14. xmpp-gw IN AAAA 2001:DB8:1000:2000::19
  15.  
  16. ; DNS SRV and NAPTR for STUN / TURN
  17. _stun._udp IN SRV 0 1 3467 turn-server.falcot.com.
  18. _turn._udp IN SRV 0 1 3467 turn-server.falcot.com.
  19. @ IN NAPTR 10 0 "s" "RELAY:turn.udp" "" _turn._udp.falcot.com.
  20.  
  21. ; DNS SRV and NAPTR records for SIP
  22. _sips._tcp IN SRV 0 1 5061 sip-proxy.falcot.com.
  23. @ IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp.falcot.com.
  24.  
  25. ; DNS SRV records for XMPP Server and Client modes:
  26. _xmpp-client._tcp IN SRV 5 0 5222 xmpp-gw.falcot.com.
  27. _xmpp-server._tcp IN SRV 5 0 5269 xmpp-gw.falcot.com.

11.8.2. TURN Server

TURN is a service that helps clients behind NAT routers and firewalls to discover the most efficient way to communicate with other clients and to relay the media streams if no direct media path can be found. It is highly recommended that the TURN server is installed before any of the other RTC services are offered to end users.

TURN and the related ICE protocol are open standards. To benefit from these protocols, maximizing connectivity and minimizing user frustration, it is important to ensure that all client software supports ICE and TURN.

For the ICE algorithm to work effectively, the server must have two public IPv4 addresses.

11.8.2.1. Install the TURN server

Install the resiprocate-turn-server package.

Edit the /etc/reTurn/reTurnServer.config configuration file. The most important thing to do is insert the IP addresses of the server.

  1. # your IP addresses go here:
  2. TurnAddress = 198.51.100.19
  3. TurnV6Address = 2001:DB8:1000:2000::19
  4. AltStunAddress = 198.51.100.20
  5. # your domain goes here, it must match the value used
  6. # to hash your passwords if they are already hashed
  7. # using the HA1 algorithm:
  8. AuthenticationRealm = myrealm
  9.  
  10. UserDatabaseFile = /etc/reTurn/users.txt
  11. UserDatabaseHashedPasswords = true

Restart the service.

11.8.2.2. Managing the TURN users

Use the htdigest utility to manage the TURN server user list.

  1. #

Use the HUP signal to make the server reload the /etc/reTurn/users.txt file after changing it or enable the automatic reload feature in /etc/reTurn/reTurnServer.config.

11.8.3. SIP Proxy Server

A SIP proxy server manages the incoming and outgoing SIP connections between other organizations, SIP trunking providers, SIP PBXes such as Asterisk, SIP phones, SIP-based softphones and WebRTC applications.

It is strongly recommended to install and configure the SIP proxy before attempting a SIP PBX setup. The SIP proxy normalizes a lot of the traffic reaching the PBX and provides greater connectivity and resilience.

11.8.3.1. Install the SIP proxy

Install the repro package. Using the package from jessie-backports is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.

Edit the /etc/repro/repro.config configuration file. The most important thing to do is insert the IP addresses of the server. The example below demonstrates how to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4 and IPv6:

  1. # Transport1 will be for SIP over TLS connections
  2. # We use port 5061 here but if you have clients connecting from
  3. # locations with firewalls you could change this to listen on port 443
  4. Transport1Interface = 198.51.100.19:5061
  5. Transport1Type = TLS
  6. Transport1TlsDomain = falcot.com
  7. Transport1TlsClientVerification = Optional
  8. Transport1RecordRouteUri = sip:falcot.com;transport=TLS
  9. Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
  10. Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem
  11.  
  12. # Transport2 is the IPv6 version of Transport1
  13. Transport2Interface = 2001:DB8:1000:2000::19:5061
  14. Transport2Type = TLS
  15. Transport2TlsDomain = falcot.com
  16. Transport2TlsClientVerification = Optional
  17. Transport2RecordRouteUri = sip:falcot.com;transport=TLS
  18. Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
  19. Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem
  20.  
  21. # Transport3 will be for SIP over WebSocket (WebRTC) connections
  22. # We use port 8443 here but you could use 443 instead
  23. Transport3Interface = 198.51.100.19:8443
  24. Transport3Type = WSS
  25. Transport3TlsDomain = falcot.com
  26. # This would require the browser to send a certificate, but browsers
  27. # don't currently appear to be able to, so leave it as None:
  28. Transport3TlsClientVerification = None
  29. Transport3RecordRouteUri = sip:falcot.com;transport=WSS
  30. Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
  31. Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem
  32.  
  33. # Transport4 is the IPv6 version of Transport3
  34. Transport4Interface = 2001:DB8:1000:2000::19:8443
  35. Transport4Type = WSS
  36. Transport4TlsDomain = falcot.com
  37. Transport4TlsClientVerification = None
  38. Transport4RecordRouteUri = sip:falcot.com;transport=WSS
  39. Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
  40. Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem
  41.  
  42. # Transport5: this could be for TCP connections to an Asterisk server
  43. # in your internal network. Don't allow port 5060 through the external
  44. # firewall.
  45. Transport5Interface = 198.51.100.19:5060
  46. Transport5Type = TCP
  47. Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP
  48.  
  49. HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19
  50. HttpAdminUserFile = /etc/repro/users.txt
  51.  
  52. RecordRouteUri = sip:falcot.com;transport=tls
  53. ForceRecordRouting = true
  54. EnumSuffixes = e164.arpa, sip5060.net, e164.org
  55. DisableOutbound = false
  56. EnableFlowTokens = true
  57. EnableCertificateAuthenticator = True

Use the htdigest utility to manage the admin password for the web interface. The username must be admin and the realm name must match the value specified in repro.config.

  1. #

Restart the service to use the new configuration.

11.8.3.2. Managing the SIP proxy

Go to the web interface at http://sip-proxy.falcot.com:5080 to complete the configuration by adding domains, local users and static routes.

The first step is to add the local domain. The process must be restarted after adding or removing domains from the list.

The proxy knows how to route calls between local users and full SIP address, the routing configuration is only necessary for overriding default behavior, for example, to recognize phone numbers, add a prefix and route them to a SIP provider.

11.8.4. XMPP Server

An XMPP server manages connectivity between local XMPP users and XMPP users in other domains on the public Internet.

VOCABULARY XMPP or Jabber?

XMPP is sometimes referred to as Jabber. In fact, Jabber is a trademark and XMPP is the official name of the standard.

Prosody is a popular XMPP server that operates reliably on Debian servers.

11.8.4.1. Install the XMPP server

Install the prosody package. Using the package from jessie-backports is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.

Review the /etc/prosody/prosody.cfg.lua configuration file. The most important thing to do is insert JIDs of the users who are permitted to manage the server.

  1. admins = { "joe@falcot.com" }

An individual configuration file is also needed for each domain. Copy the sample from /etc/prosody/conf.avail/example.com.cfg.lua and use it as a starting point. Here is falcot.com.cfg.lua:

  1. VirtualHost "falcot.com"
  2. enabled = true
  3. ssl = {
  4. key = "/etc/ssl/private/falcot.com-key.pem";
  5. certificate = "/etc/ssl/public/falcot.com.pem";
  6. }

To enable the domain, there must be a symlink from /etc/prosody/conf.d/. Create it that way:

  1. #

Restart the service to use the new configuration.

11.8.4.2. Managing the XMPP server

Some management operations can be performed using the prosodyctl command line utility. For example, to add the administrator account specified in /etc/prosody/prosody.cfg.lua:

  1. # prosodyctl adduser joe@falcot.com

See the Prosody online documentation for more details about how to customize the configuration.

11.8.5. Running services on port 443

Some administrators prefer to run all of their RTC services on port 443. This helps users to connect from remote locations such as hotels and airports where other ports may be blocked or Internet traffic is routed through HTTP proxy servers.

To use this strategy, each service (SIP, XMPP and TURN) needs a different IP address. All the services can still be on the same host as Linux supports multiple IP addresses on a single host. The port number, 443, must be specified in the configuration files for each process and also in the DNS SRV records.

11.8.6. Adding WebRTC

Falcot wants to let customers make phone calls directly from the web site. The Falcot administrators also want to use WebRTC as part of their disaster recovery plan, so staff can use web browsers at home to log in to the company phone system and work normally in an emergency.

IN PRACTICE Try WebRTC

If you have not tried WebRTC before, there are various sites that give an online demonstration and test facilities.

http://www.sip5060.net/test-calls

WebRTC is a rapidly evolving technology and it is essential to use packages from the jessie-backports or Testing distributions.

JSCommunicator is a generic, unbranded WebRTC phone that does not require any server-side scripting such as PHP. It is built exclusively with HTML, CSS and JavaScript. It is the basis for many other WebRTC services and modules for more advanced web publishing frameworks.

http://jscommunicator.org

The package jscommunicator-web-phone is the quickest way to install a WebRTC phone into a web site. It requires a SIP proxy with a WebSocket transport. The instructions in 第 11.8.3.1 节 “Install the SIP proxy” include the necessary details to enable the WebSocket transport in the repro SIP proxy.

安装 jscommunicator-web-phone后,有多种使用方式。简单手段是包含或者复制 /etc/jscommunicator-web-phone/apache.conf中的配置来作为 Apache 虚拟主机配置。

Once the web-phone files are available in the web server, customize the /etc/jscommunicator-web-phone/config.js to point at the TURN server and SIP proxy. For example:

  1. JSCommSettings = {
  2.  
  3. // 网络环境
  4. webserver: {
  5. url_prefix: null //如果设定,前缀常常构建 sound/ URL 地址
  6. },
  7.  
  8. // STUN/TURN 媒体中继服务器
  9. stun_servers: [],
  10. turn_servers: [
  11. { server:"turn:turn-server.falcot.com?transport=udp", username:"joe", password:"j0Ep455d" }
  12. ],
  13.  
  14. // WebSocket 连接
  15. websocket: {
  16. // 注意:我们使用 falcot.com 域名凭证,端口 8443
  17. // 这与 Transport3 和 Transport4 案例匹配,
  18. // 见 falcot.com repro.config 文件
  19. servers: 'wss://falcot.com:8443',
  20. connection_recovery_min_interval: 2,
  21. connection_recovery_max_interval: 30
  22. },
  23.  
  24. ...

More advanced click-to-call web sites typically use server-side scripting to generate the config.js file dynamically. The DruCall source code demonstrates how to do this with PHP.

This chapter sampled only a fraction of the available server software; however, most of the common network services were described. Now it is time for an even more technical chapter: we’ll go into deeper detail for some concepts, describe massive deployments and virtualization.